Centos: creating new ADS samba share

active-directorycentossamba

I followed several guides to set up samba sharing on our domain. I've got it working where I can join the domain, list the shares, and connect to the samba share from windows. When I connect from windows, I am dumped into the user home directory and can read/write.

I'm trying now to create a new separate share on Samba to use via windows. I created the folder, added it to smb.conf, but can not access the share from windows no matter what. smb.log has zero info nor messages or any log under /var/log/samba. When I try to connect to the new share from windows in Explorer, I am prompted for username password and upon entering am just met with the un/pw prompt again. Via cmd net use, I get an error stating the password is invalid: "The password is invalid for domain/user".

smb.conf

[global]
workgroup = MYDOMAIN
netbios name = samba
server string = Samba Server 3.0
security = ads
realm = MYDOMAIN.LOCAL
password server = 192.168.1.11
encrypt passwords = yes
printcap name = /etc/printcap
load printers = no
printing = cups
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
dns proxy = no
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes 

[newShare] 
comment = NewShare Share 
path = /home/share/newShare/ 
valid users = @"MYDOMAIN.LOCAL\Domain Users"
public = no 
writable = yes 
printable = no 
create mask = 0765

It's likely I don't have permissions set right on the directory I created; ownership is root:root and 0755, but I didn't see any good examples of how it should be in the millions of tutorials I looked through. However, I'm not sure that would cause the invalid password error.

smb.log:

[2012/01/13 11:06:42, 0] smbd/server.c:main(958)
  smbd version 3.0.33-3.29.el5_7.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2012/01/13 11:14:22, 0] smbd/server.c:main(958)
  smbd version 3.0.33-3.29.el5_7.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2012/01/13 11:29:26, 0] smbd/server.c:main(958)
  smbd version 3.0.33-3.29.el5_7.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008

[not helpful]

I'm not sure at this point where to try and look for the problem.

Oh, I also messed with selinux stuff as a result of find here on SF. It didn't break anything, but it didn't fix anything either. [chcon and semanage fcontext stuff]

Best Answer

After much tinkering, I was able to get it to work. I'm not sure the exact constellation of changes that got things working, but I think it was at least in part due to upgrading samba to 3.4.

Some things:

make sure clocks are in sync;

allowed users = @"DOMAIN+Domain Users"

setting WINS helped; name resolution is important

log level = 2

OH! and after upgrading samba, winbindd seemed to have disappeared... needed to reinstall

Related Solutions

Linux – Problem connecting to a Samba server with share mode security

I think that you need to re-examine whether share-mode security is what you actually need for this problem. Share mode security means that a password is used to authenticate to a share, not a username/password combination.

If you want to allow multiple users (logging in as themselves) access to modify the files then you need to use user level security.

If you want to allow anybody that knows the magic password to see the share, then share mode security is right for you.

See the Samba Documentation for more information on share level security.

Samba Permissions – I’m going to throw it!

This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).

Here's the share definition:

[shared stuff]
        comment = blah, blah, etc
        path = /path/to/share
        write list = @sambagroup
        force group = +sambagroup
        read only = yes
        directory mask = 0775
        create mask = 0664
        guest ok = yes
        invalid users = root
        case sensitive = True
        default case = lower
        preserve case = yes
        short preserve case = yes

The important stuff here are these:

read only = yes -- by default, read only.
guest ok = yes -- guests can browse.
write list = @sambagroup -- Authenticated members of sambagroup can write.
force group = +sambagroup -- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664

These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.

My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.

Best Answer

Related Solutions

Linux – Problem connecting to a Samba server with share mode security

Samba Permissions – I’m going to throw it!

Related Topic